By Sascha Segan

Oct. 16 — Federal officials have criticized security at the Federal Aviation Administration, but former and current FAA systems administrators tell ABCNEWS.com the problem is even worse than has been admitted, and almost anyone with a little technical savvy could break into the system and shut down radar at major air hubs around the nation.

The administrators say that with an ordinary home computer, a few freely available programs and the right password, anyone could dial into a secure FAA maintenance system. Once inside, they would have access to the computers that are used to control airport radar systems.

What’s more, thousands of unsecured laptops used by FAA employees, some pre-programmed with important passwords, could provide the wrong people with shortcuts into the system if they were lost or stolen, the administrators said.

“If this thing fell into the wrong hands, a terrorist could really do some damage,” retired FAA administrator Norm Haase said.

A report from the congressional General Accounting Office, released Sept. 27, condemned the FAA for having lousy security and hinted at the potential for computer break-ins. The administrators gave clear details — and explained how easy it really is to wreak havoc on FAA systems.

Security experts, including notorious reformed computer criminal Kevin Mitnick, agreed with the administrators’ assessment and said they could probably break into an air traffic Maintenance Control System in anywhere from five minutes to a week, given the security structure the administrators described.

An FAA spokeswoman said the agency couldn’t talk about specifics, but that it was aware of the security flaws and was working to fix them.

“Potential areas of vulnerability in the MCS … have been identified, with the appropriate security countermeasures implemented,” Tammy Jones said.

But the GAO report said the FAA has a poor track record on following its own security policies, saying the agency has made “little progress” swatting “known, exploitable bugs” and that two out of three systems tested for hack-ability a year ago have yet to be fixed.

And the system is vulnerable from the inside as well. The agency never updated its security regime after a 1996 reorganization, leaving many employees with greater access than they should have, administrators said.

Open Access

Administrators need to get to their maintenance systems 24 hours a day, often from home — for instance, to fix urgent system problems that come up in the middle of the night. If the remote access was secure, it wouldn’t be a problem, experts said.

But the systems use unencrypted connections over public phone lines. That means any hacker can get in with a “war dialer” (an early-1980s piece of software that dials a lot of phone numbers, searching for computer modem tones), the right passwords, and an obscure but free program for connecting to mainframes. It would be the same sort of attack that hackers have used repeatedly to compromise numerous corporate computer systems, as well as some in government.

The laptops make break-ins even easier, and more than 3,700 have been distributed nationwide, according to Haase. Some have pre-programmed phone numbers and passwords for various FAA systems, many with passwords for the MCS. Some, he said, have already been lost.

The laptops don’t have to be stolen, said Jim Jones, director of response services for computer security firm Global Integrity. As they’re also used for private e-mail, a Trojan Horse program could be sent through e-mail, which would redirect passwords and phone numbers into the wrong hands.

Gaining Control

The maintenance systems, known as the Maintenance Management System and the Monitor Control System, allow administrators to shut down, restart and reorient the radars and instruments that feed into air traffic controllers’ screens.

“You can’t access ATC command stations remotely, but you can screw up the data going into them,” Haase said.

The dial-up systems don’t encrypt their data; encryption would prevent passwords from being stolen through wiretaps. Encrypting the laptop hard drives would make them useless to unauthorized users, and the FAA had a plan to do that but hasn’t followed through, Haase said.

The systems aren’t classified, either, so they don’t have to conform to regulations on classified data.

The agency owns “dialback” modems which only accept calls from pre-screened phone numbers, but doesn’t use them much.

“I won’t say that they used them, but they were there,” another retired FAA administrator said.

Fortunately, there’s no firm evidence that hackers have ever broken into critical FAA systems, though a Colorado teenager hacked into agency mail and Web servers last year. Few hackers are familiar with the FAA’s mainframes, and administrators said fewer are interested in breaking into a low-profile system that isn’t connected to the Internet.

Hack Attacks

Mitnick, a reformed ex-computer criminal who now speaks on computer security issues, said someone with his skills would have no problem breaking into the FAA’s system.

A break-in artist could use a war dialer to find the right phone number and smooth talk to trick users into revealing passwords, or could reroute the phone number to a decoy system which would appear to be the real one, but would just capture passwords.

“I could have a valid user name and password in less than five minutes,” he said.

The central problem is that the systems are accessible through public phone lines, he said.

Bob Miller, deputy director of the federal Critical Infrastructure Assurance Center, said the FAA’s security was no worse than that of many major corporations.

Personnel Problems

Even if outsiders don’t crack into FAA systems, security within the agency is lax, administrators said.

“It’s the insider threat that worries most of the security people” in government, said Miller.

The GAO report said the FAA hadn’t done background checks on many employees and contractors — including Chinese nationals hired as part of the effort to head off the Y2K bug, and “penetration testers” who were assigned to break into sensitive systems and diagnose security flaws.

A current FAA computer system administrator who did not want to be identified said that after a reorganization in 1996, many employees were left with security levels much higher than necessary — levels that could allow them to access personal data about other employees, or systems they don’t necessarily supervise.

“They can look at personnel records for anybody across the whole maintenance organization,” he said.

The administrator also backed up the GAO report’s conclusion that FAA employees haven’t been properly trained on computer security, violating an FAA policy.

“Security varies widely from one place to another,” he said.

Denying Knowledge

At a hearing before the House Science Committee last week, FAA head Jane Garvey said she hadn’t known about the agency’s security problems until the GAO brought them up, and that the agency was working on them.

But the FAA administrators disagreed: they said they’d brought various concerns to higher-ups as far back as 1996.

“I specifically, for the last four years or more, have been screaming and hollering about computer security and the access problems,” Haase said.

Science committee chairman Jim Sensenbrenner, R-Wis., said the FAA has had to be brought into security awareness “kicking and screaming” — but that the final responsibility for safety lies with the agency.

“It is your job to be proactive on this,” he told Garvey.

FAA spokeswoman Jones said the agency is fixing the security holes. But one current FAA system administrator is still worried.

“The FAA has this wonderful mentality of not reacting to something until it’s already happened,” he said. “Until there is some kind of incident, they don’t tend to be genuinely proactive.”
